2017 Microsoft Outlook Vulnerability Targeted by Threat Group APT33

Hackers have exploited a two-year-old Microsoft Outlook vulnerability in attacks on U.S. government networks.

A warning issued by U.S. Cyber Command described active exploitation of CVE-2017-11774 to install remote access Trojans and other malware. U.S. Cyber Command strongly recommends patching the vulnerability immediately to prevent exploitation.

The vulnerability is a sandbox escape that an attacker can exploit once in possession of the user's Outlook credentials, which can be acquired through phishing or by other means. With those credentials, the attacker changes the user's Outlook folder home page (a URL Outlook loads and renders when the folder is opened) to a page containing embedded code that downloads and executes malware every time Outlook is opened.
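The following PowerShell script is an added example, not part of the article or of any vendor guidance: it audits the current user's Outlook registry settings for configured folder home page URLs (the setting abused through CVE-2017-11774) and reports the hardening policy values. The registry paths, value names and English folder names are the ones I know Outlook uses and are stated here as assumptions; confirm them against Microsoft's documentation for your Office build before relying on the output.

```powershell
# Added example (not from the article): audit Outlook folder home page URLs
# and the related hardening policy values. Registry locations, value names and
# folder names are assumptions based on what Outlook is known to use.

$OfficeVersions = '14.0', '15.0', '16.0'   # Outlook 2010, 2013, 2016/2019/365
$Folders = 'Inbox', 'Calendar', 'Contacts', 'Deleted Items', 'Drafts',
           'Journal', 'Junk E-mail', 'Notes', 'Outbox', 'Sent Items', 'Tasks'

function Get-OutlookHomePage {
    # Returns one object per folder that has a home page URL configured in the
    # local registry. Any non-empty URL deserves review; attackers point it at a
    # page whose script downloads and runs a payload each time Outlook opens.
    foreach ($v in $OfficeVersions) {
        $webView = "HKCU:\Software\Microsoft\Office\$v\Outlook\WebView"
        if (-not (Test-Path $webView)) { continue }
        foreach ($f in $Folders) {
            $key = Join-Path $webView $f
            if (-not (Test-Path $key)) { continue }
            $url = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).URL
            if ([string]::IsNullOrWhiteSpace($url)) { continue }
            [pscustomobject]@{ Version = $v; Folder = $f; URL = $url; Key = $key }
        }
    }
}

function Get-OutlookHomePagePolicy {
    # Assumption: with the patch installed, EnableRoamingFolderHomepages = 1
    # re-enables home pages stored in the mailbox (the form an attacker holding
    # only credentials can set from elsewhere) and NonDefaultStoreScript = 1
    # re-enables script in non-default stores. Both should be 0 or absent.
    foreach ($v in $OfficeVersions) {
        $pol = "HKCU:\Software\Policies\Microsoft\Office\$v\Outlook\Security"
        $p = Get-ItemProperty -Path $pol -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Version                      = $v
            EnableRoamingFolderHomepages = $p.EnableRoamingFolderHomepages
            NonDefaultStoreScript        = $p.NonDefaultStoreScript
        }
    }
}

function Remove-OutlookHomePage {
    # Clears every configured home page URL. Supports -WhatIf for a dry run.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($hit in Get-OutlookHomePage) {
        if ($PSCmdlet.ShouldProcess($hit.Key, "Remove URL '$($hit.URL)'")) {
            Remove-ItemProperty -Path $hit.Key -Name URL
        }
    }
}

# Usage: report first, remediate only after reviewing the URLs.
Get-OutlookHomePage | Format-Table -AutoSize
Get-OutlookHomePagePolicy | Format-Table -AutoSize
# Remove-OutlookHomePage -WhatIf
```

This audit only sees home pages stored in the local registry. A home page that the attacker set through the mailbox itself (the roaming variant, which is what stolen credentials alone enable) does not appear here; for that, install the patch, keep the roaming policy value at 0, and inspect the folder's Home Page properties from within Outlook. Run the script under each user profile on the machine, since the keys live under HKCU.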

U.S. Cyber Command did not name the threat actors responsible for the attacks, though security researchers at Palo Alto Networks, Chronicle, FireEye, and others have attributed the attacks to APT33, a cyberespionage group backed by Iran.

APT33 began exploiting this vulnerability about a year ago. Rather than phishing, the group obtained credentials by brute force, trying commonly used passwords against many accounts at once (password spraying). Once a password is guessed, the attacker exploits the Outlook vulnerability to download malware onto devices connected to the network.
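The detection logic below is an added example, not code from the article or from any of the vendors it cites. It looks for the pattern just described, one source failing logons against many distinct accounts in a short window, in Windows Security event 4625 (failed logon). The field names come from the standard 4625 event; the window size, the account threshold and the sample records are constructed assumptions to tune for your environment.

```powershell
# Added example (not from the article): flag password spraying in Security
# event 4625 by counting distinct target accounts per source per time window.
# Thresholds and the sample data below are assumptions, not observed values.

function Get-FailedLogonEvents {
    # Pulls 4625 events and flattens the fields the detector needs.
    param(
        [datetime] $Since = (Get-Date).AddHours(-24),
        [string] $ComputerName
    )
    $params = @{ FilterHashtable = @{ LogName = 'Security'; Id = 4625; StartTime = $Since } }
    if ($ComputerName) { $params.ComputerName = $ComputerName }
    Get-WinEvent @params -ErrorAction SilentlyContinue | ForEach-Object {
        $xml  = [xml] $_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time   = $_.TimeCreated
            User   = $data['TargetUserName']
            # Network logons carry a source IP; local/interactive ones show '-',
            # so fall back to the workstation name.
            Source = $(if ($data['IpAddress'] -and $data['IpAddress'] -ne '-') { $data['IpAddress'] }
                       else { $data['WorkstationName'] })
        }
    }
}

function Find-PasswordSpray {
    # Buckets failures per source into fixed windows and flags any source that
    # touches at least $MinDistinctUsers different accounts within one window.
    param(
        [Parameter(Mandatory)] [object[]] $Events,   # objects with Time, User, Source
        [int] $WindowMinutes = 30,
        [int] $MinDistinctUsers = 10
    )
    $windowTicks = [timespan]::FromMinutes($WindowMinutes).Ticks
    $Events |
        Group-Object { '{0}|{1}' -f $_.Source, [math]::Floor($_.Time.Ticks / $windowTicks) } |
        ForEach-Object {
            $users = @($_.Group.User | Sort-Object -Unique)
            if ($users.Count -ge $MinDistinctUsers) {
                [pscustomobject]@{
                    Source        = $_.Group[0].Source
                    WindowStart   = ($_.Group.Time | Measure-Object -Minimum).Minimum
                    Attempts      = $_.Count
                    DistinctUsers = $users.Count
                    SampleUsers   = ($users | Select-Object -First 5) -join ', '
                }
            }
        }
}

# Constructed sample (not real data): one source tries a common password against
# 12 accounts within three minutes; a second source is one user mistyping their
# own password, which must not be flagged.
$t0 = Get-Date '2019-07-01T02:00:00'
$sample = @(
    1..12 | ForEach-Object {
        [pscustomobject]@{ Time = $t0.AddSeconds(15 * $_); User = "user$_"; Source = '203.0.113.7' }
    }
    1..4 | ForEach-Object {
        [pscustomobject]@{ Time = $t0.AddMinutes($_); User = 'jsmith'; Source = '10.0.0.25' }
    }
)
Find-PasswordSpray -Events $sample | Format-Table -AutoSize
# Live use on a domain controller or Exchange server:
# Find-PasswordSpray -Events (Get-FailedLogonEvents) -MinDistinctUsers 20
```

Where the failures land depends on the authentication path: attempts against Outlook on the web or Exchange Web Services surface on the Exchange servers and in IIS logs, while Kerberos pre-authentication failures on a domain controller appear as event 4771 rather than 4625. Because `Find-PasswordSpray` only needs Time, User and Source, any of those sources can be normalised into the same shape and fed to it. Fixed windows can split a spray that straddles a boundary; a sliding window over the sorted events per source is the more robust variant if you see attackers pacing attempts slowly.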

Although the group has attacked U.S. entities before, its activities are focused on the Middle East. The increase in attacks on U.S. targets is thought to be associated with the growing tensions between Iran and the United States.

The U.S. Cyber Command warning came just days after Chris Krebs, director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), warned on Twitter about wiper malware attacks by the Iran-backed threat group. That alert followed an increase in Iran-linked cyberattacks on U.S. companies and government agencies. Symantec likewise warned in March this year of further APT33 attacks exploiting a vulnerability in WinRAR.

FireEye researchers linked APT33 to Iran in 2017. The Shamoon wiper is thought to have been used in various cyberattacks across the Middle East, including the 2012 attack on oil company Saudi Aramco. Although Shamoon has been associated with APT33, it is not confirmed that the threat group had anything to do with those attacks.

Brandon Levene, Chronicle's head of applied intelligence, examined malware samples published by U.S. Cyber Command and found a number of commonalities between the most recent attacks and the 2016 Shamoon campaigns. The 2016 campaigns exploited a vulnerability and ran a PowerShell script to download the Pupy remote access Trojan; the downloaders used in the most recent attacks share code with them.

Levene also examined three malicious tools used in the latest attacks. The tools served different purposes, but together they allowed the attackers to access a server and perform a variety of malicious actions. APT33 has previously used identical tools to remotely execute code on vulnerable devices. Andrew Thompson of FireEye likewise attributed the most recent attacks to APT33.

The U.S. is strengthening its cyber offense against Iran, so retaliatory attacks on U.S. entities are likely to persist as tensions rise.